# Usage: semgrep scan -f semgrep.yml
rules:
- id: rule-0
  message: "http requests made without *fiber.Ctx"
  languages: [go]
  severity: WARNING
  patterns:
  - pattern-either:
    - pattern: |
        http.UnwrapWebAPIRequest(...)
    - pattern: |
        http.WebAPIRequest(...)
  - pattern-not-inside: |
      func $FUNC(c *fiber.Ctx, ...) $RET {
        ...
      }
# note: the below two rules autofix have slight problems. where `http` is sometimes "net/http". need minor manual tweaking after --autofix.
- id: rule-1-0
  message: "find http requests made to Pixiv"
  languages: [go]
  severity: INFO
  patterns:
  - pattern: |
      http.UnwrapWebAPIRequest($A, $B)
  fix: |
    http.UnwrapWebAPIRequest(c.Context(), $A, $B)
- id: rule-1-1
  message: "find http requests made to Pixiv"
  languages: [go]
  severity: INFO
  patterns:
  - pattern: |
      http.WebAPIRequest($A, $B)
  fix: |
    http.WebAPIRequest(c.Context(), $A, $B)
- id: rule-2
  message: "gjson.Get without gjson.Valid"
  languages: [go]
  severity: ERROR
  patterns:
  # - pattern-inside: |
  #     func $FUNC(...) $RET {
  #       ...
  #     }
  - pattern: |
      gjson.Get($X, ...)
  - pattern-not-inside: |
      if !gjson.Valid($X) {
        $...DISCARD
      }
      ...
- id: rule-3
  message: "http request without context"
  languages: [go]
  severity: WARNING
  # severity: INVENTORY
  patterns:
  - pattern-inside: |
      $REQ, $ERR := http.NewRequest($...ARGV)
      ...
  - pattern-not: |
      $REQ, $ERR := http.NewRequest($...ARGV)
      if $ERR != nil {
        ...
      }
      $REQ = $REQ.WithContext($CTX)
      ...
  fix: |
      $REQ, err := http.NewRequest($...ARGV)
      if err != nil {
        return err
      }
      $REQ = $REQ.WithContext(c.Context())
- id: rule-4
  message: "fmt.Sprint on string"
  languages: [go]
  severity: WARNING
  pattern: |
    fmt.Sprint(($S : string))
- id: rule-5
  message: "unhandled error"
  languages: [go]
  severity: WARNING
  pattern: |
    (_ : error) = ...
- id: rule-6
  message: "raw UserArtCategory string"
  languages: [go]
  severity: WARNING
  pattern-either:
  - pattern: |
      ($A : UserArtCategory) == "$B"
